[U-Boot] [PATCH v3 03/12] image: Add RSA support for image signing

Thu Jun 27 17:45:34 CEST 2013

Hi Tom,

On Thu, Jun 27, 2013 at 5:50 AM, Tom Rini <trini at ti.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/27/2013 02:44 AM, Simon Glass wrote:
> > Hi Masahiro,
> >
> > On Wed, Jun 26, 2013 at 9:08 PM, Masahiro Yamada
> > <yamada.m at jp.panasonic.com <mailto:yamada.m at jp.panasonic.com>>
> > wrote:
> >
> > Hello, Simon.
> >
> >
> > When compiling the master branch, I got an error while a
> > tools/mkimage build.
> >
> >
> > u-boot/lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No
> > such file or directory
> >
> >
> > I think this erorr is caused by commit 19c402a.
> >
> >
> > I searched and installed the necessary package and I could resolve
> > this error.
> >
> > $ apt-file search openssl/rsa.h libssl-dev:
> > /usr/include/openssl/rsa.h $ sudo apt-get install libssl-dev
> >
> >
> > Let me ask a question.
> >
> > Going forward do we always need the openssl development package
> > for creating mkimage tool? Or is it possible to disable RSA feature
> > by some CONFIG option?
> >
> >
> > This is to support verified boot using FIT. Yes it would be
> > possible to make it an option. I had it that way for a while, but
> > then I worried that it would create two versions of mkimage, one
> > of which is incapable of signing images. That means that mkimage
> > would need to be built for a board with verified boot enabled in
> > order to get full functionality.
> >
> > Perhaps another way would be to check for the header and (if not
> > present), silently build without signing support?
>
> Hurk, dang it.. Yes, I think we need to build and go with an error
> message on attempted use.  Skimming the code, we can't rely on
> CONFIG_FIT_SIGNATURE being inherited from the config, on the host
> side, yes?
>

Yes I can make this check CONFIG_FIT_SIGNATURE - as mentioned I had it that
way originally but worred about creating different versions of mkimage.

There is actually code there for this which we can use:

#ifdef CONFIG_FIT_SIGNATURE
fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c
<comment>] [-r]\n"
"          -k => set directory containing private keys\n"
"          -K => write public keys to this .dtb file\n"
"          -c => add comment in signature node\n"
"          -F => re-sign existing FIT image\n"
"          -r => mark keys used as 'required' in dtb\n");
#else
fprintf(stderr, "Signing / verified boot not supported
(CONFIG_FIT_SIGNATURE undefined)\n");
#endif

Let me know if this is the preferred option and I will prepare a patch.

Regards,
Simon